Windows Forensics and Incident Recovery
This page is for listing tools described and used in my book.
FCIV - Microsoft released an interesting file integrity tool. The tool can compute file hashes, store them in an XML database, and later verify files against that database.

Pref - Prefetch directory tool mentioned in my blog. This tool parses the contents of the Prefetch directory and gets the MAC (modified, accessed, created) times for all of the files. Make sure to read the readme file in the archive.

Pref_ver - Prefetch directory tool mentioned in my blog. This tool parses the contents of the layout.ini file and looks for executable files based on file extension (.exe, .dll, .sys). When it finds one, it attempts to retrieve file version information from that file. Make sure to read the readme file in the archive.

Tools associated with the book. The archive includes bho.exe to view Browser Helper Objects (a hiding place for spyware) on the local system, keytime.exe to view the LastWrite time of Registry keys, ver.exe to retrieve version information from executable files, sigs.exe for performing file signature analysis (output in .csv format), and windata.exe for retrieving operating system, service, and process information from local or remote systems (output in .dat/.csv files in the local directory).

Drive Info tool - associated with the book. Displays drive information from local and remote systems.

DiamondCS is the site to go to in order to get OpenPorts and CmdLine.

See this MS KB article for a tool called "chknic.exe", which is part of the Windows 2003 Resource Kit. The tool gets information about NICs and runs on XP and 2003.

Go to the NTSecurity site for PEriscope, PMDump, PromiscDetect, PStoreView, and others.

Check out SysInternals for PSTools, Handle, ListDLLs, AccessEnum, AutoRuns, LogonSessions, etc.

Spyware and Adware Tools
Adware, and in particular spyware, is a huge problem on systems today. This problem affects corporate systems as well as home users. In fact, it has been so much of a problem that CERT has even recommended that a browser other than IE be used. Below are some links to tools that are highly effective in helping protect you from spyware:

The first step is to install anti-virus software and keep it up to date.

PestPatrol is an excellent commercial product to help protect you from spyware infections, as well as from other malware infections. Does this protect you from some of the same things that your anti-virus software protects you against? Yes...but that's a good thing. PestPatrol comes in corporate and home user flavors. As with other tools, keeping your definitions up to date is key. I recently ran a fully registered version of PestPatrol on a friend's computer and detected 75 bad things. After removing them and rebooting the system, I updated PestPatrol and ran it again...only to find 65 more bad things!

SpyBot Search and Destroy is an excellent donation-ware tool for detecting and removing spyware from your system. If you download it and try it, be sure that you keep it up to date.

AdAware is an old standby when it comes to removing spyware. When I say "old", what I mean is that it's the product I'm most familiar with, but that doesn't mean that it's not extremely effective.

SpyWare Blaster lets you be a bit more proactive by not allowing spyware to install in the first place.

There are other tools available that you'll hear about from friends or read about in trade journals. Spyware is a huge problem, so there are always more tools appearing to protect against, detect, and remove this annoying software. Whatever you decide to use, my primary recommendations are to use more than one tool and to keep your tools updated.
© 2004 H. Carvey